Tomcat: Security Constraint Bypass and Cache Poisoning

Submitted on 11. August 2017 - 9:39 by robink. Last update on 11. August 2017 - 14:27.

IDs:

CVE-2017-7675, CVE-2017-7674

Keywords:

Tomcat, Cache Poisoning, Security Constraint Bypass, CORS, HTTP/2

Description:

Apache Tomcat fixes the vulnerabilities CVE-2017-7674 in versions 7.0.79 and 8.5.16, and CVE-2017-7675 in 8.5.16.

Airlock WAF and Airlock Login/IAM are not affected. Back-ends behind Airlock WAF may be vulnerable, see resolution.

CVE-2017-7675
Allows security constraint bypass using specially crafted URLs when using HTTP/2. Airlock Login/IAM is not affected in the default configuration, as HTTP/2 is not used. Airlock WAF does not use Tomcat 8.5 and is therefore not vulnerable. Back-ends behind Airlock WAF are not vulnerable, as HTTP/2 is not supported.

CVE-2017-7674
Allows cache poisoning when using the Tomcat CORS-Filter. The default configuration of Airlock Login/IAM is not vulnerable, as the filter is not used. Airlock WAF does not use the Tomcat CORS-Filter and is therefore not affected. Back-ends behind Airlock WAF may be vulnerable, see resolution.

Resolution:

CVE-2017-7674
Back-ends using Tomcat in versions 8.5.0 to 8.5.15 or 7.0.41 to 7.0.78 may be vulnerable if the Tomcat CORS-Filter is enabled. To avoid the cache poisoning attack, add a response header with name 'Vary' and value 'Origin' to the relevant mappings, or update Tomcat to version 7.0.79, 8.5.16 or higher.
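A way to check a back-end against this resolution, as an added example that is not part of the original advisory or of any Airlock or Tomcat tooling: it classifies a response by the affected version ranges above and by whether a CORS response carries `Vary: Origin`. The function names, result labels and sample responses are constructed for illustration, and the responses are assumed to answer requests that carried an `Origin` header.

```python
import re

# Affected Tomcat ranges as given in the advisory (inclusive bounds).
AFFECTED = [((7, 0, 41), (7, 0, 78)), ((8, 5, 0), (8, 5, 15))]

def version_affected(text):
    """True/False for a string such as 'Apache Tomcat/8.5.14'; None if no version found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    v = tuple(int(p) for p in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def parse_headers(raw):
    """Map lowercase header name -> list of values; repeated headers are kept."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def varies_on_origin(headers):
    """True if any Vary header lists Origin; Vary is a case-insensitive comma list."""
    tokens = {t.strip().lower() for v in headers.get("vary", []) for t in v.split(",")}
    return "origin" in tokens

def audit(version_text, raw_response):
    """Classify one back-end response against the CVE-2017-7674 resolution."""
    affected = version_affected(version_text)
    if affected is None:
        return "version-unknown"
    if not affected:
        return "version-not-affected"
    headers = parse_headers(raw_response)
    if "access-control-allow-origin" not in headers:
        return "no-cors-header"
    return "vary-origin-present" if varies_on_origin(headers) else "vary-origin-missing"

# Constructed sample responses (not captured from a real system).
WITHOUT_VARY = ("HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://app.example\r\n"
                "Content-Type: text/html\r\n\r\n")
WITH_VARY = ("HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://app.example\r\n"
             "Vary: Accept-Encoding, origin\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("without Vary", WITHOUT_VARY), ("with Vary", WITH_VARY)):
        print(label, "->", audit("Apache Tomcat/8.5.14", resp))
```

A result of `vary-origin-missing` marks a mapping that still needs the header or a back-end that still needs the update.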